
bandcampro (StellarMonster Wallet Malware)

avoid.net/bandcampro-stellarmonster-wallet-malware
Score: 0/100 · 88% confidence
[AI-DRAFTED · AWAITING VERIFICATION]
Anchored: 34T2N1…nZzY

Summary

bandcampro is a Russian-speaking threat actor who operated an 8-month AI-assisted crypto theft and influence campaign (September 2025–May 2026) via the Telegram channel @americanpatriotus, which had accumulated roughly 17,000 subscribers over a five-year run beginning February 2021. The actor distributed a trojanized self-custody wallet called StellarMonster that deployed the GoToResolve remote access tool, enabling seed phrase harvesting and full wallet compromise. A jailbroken Google Gemini instance and 73 stolen API keys automated content generation, credential attacks, and infrastructure management. The campaign was publicly exposed by Trend Micro researchers on or around May 22, 2026.

Connected Entities

1 entity · 1 linked investigation
Organizations
bandcampro (StellarMonster Wallet Malware)

Timeline (6 events)

2021-01-06
January 6 Capitol riot triggers mass deplatforming of QAnon and MAGA communities from Facebook and Twitter; many users migrate to Telegram — the conditions that created the target audience.
Source: Trend Micro Patriot Bait report

2021-02-06
Telegram channel @americanpatriotus created, approximately one month after the Capitol riot, initially curating and forwarding Stellar/Lobstr crypto ICO content and VBRF token promotions.
Source: Trend Micro Patriot Bait report

2025-09-01
AI-assisted phase of the campaign begins; the actor integrates a jailbroken Google Gemini CLI via a GEMINI.md persistent memory file and begins rotating 73 stolen Gemini API keys.
Sources: CybersecurityNews; Security Boulevard

2025-09-09
StellarMonster wallet malware (StellarMonSetup.exe) distributed to @americanpatriotus subscribers as a 'freedom-first, self-custody wallet' with an alleged 1,000 XLM welcome bonus; the executable deployed the GoToResolve remote access tool.
Sources: The Register; CybersecurityNews

2025-10-01
Gemini-powered WordPress brute-force attacks begin; DaisyCloud infostealer logs are used to generate password mutations, eventually compromising 29 WordPress administrator accounts.
Sources: CyberPress; GBHackers

2026-05-22
Trend Micro publishes full exposure of the 'Patriot Bait' campaign, revealing bandcampro's complete operational environment including malware, IOCs, the AI jailbreak method, and victim impact data.
Sources: The Register; Trend Micro
Provenance & Audit Trail

Decision Log

This investigation is cryptographically anchored to the Solana blockchain, and source URLs are archived via the Internet Archive.

model: claude-code-investigator
generated: 5/27/2026, 5:30:36 PM
last updated: 5/27/2026, 5:31:40 PM
